libsndfile: CVE-2014-9756: division by zero leading to denial of service in psf_fwrite()

Debian Bug report logs - #804447
libsndfile: CVE-2014-9756: division by zero leading to denial of service in psf_fwrite()

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libsndfile: CVE-2014-9756: division by zero leading to denial of service in psf_fwrite()

Date: Sun, 08 Nov 2015 17:23:36 +0100

Source: libsndfile
Version: 1.0.25-5
Severity: normal
Tags: security upstream
Forwarded: https://github.com/erikd/libsndfile/issues/92

Hi,

the following vulnerability was published for libsndfile.

CVE-2014-9756[0]:
division by zero leading to denial of service in psf_fwrite()

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9756
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1177254
[2] https://github.com/erikd/libsndfile/commit/725c7dbb95bfaf8b4bb7b04820e3a00cceea9ce6
[3] https://github.com/erikd/libsndfile/issues/92
[4] https://bugzilla.novell.com/show_bug.cgi?id=953521

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Message #10 received at 804447-close@bugs.debian.org (full text, mbox, reply):

From: Erik de Castro Lopo <erikd@mega-nerd.com>

To: 804447-close@bugs.debian.org

Subject: Bug#804447: fixed in libsndfile 1.0.25-10

Date: Wed, 11 Nov 2015 01:50:53 +0000

Source: libsndfile
Source-Version: 1.0.25-10

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 804447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Erik de Castro Lopo <erikd@mega-nerd.com> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 10 Nov 2015 20:36:47 +1100
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs libsndfile1-dbg sndfile-programs-dbg
Architecture: source amd64
Version: 1.0.25-10
Distribution: unstable
Urgency: low
Maintainer: Erik de Castro Lopo <erikd@mega-nerd.com>
Changed-By: Erik de Castro Lopo <erikd@mega-nerd.com>
Description:
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dbg - debugging symbols for libsndfile
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
 sndfile-programs-dbg - debugging symbols for sndfile-programs
Closes: 774162 804445 804447
Changes:
 libsndfile (1.0.25-10) unstable; urgency=low
 .
   * debian/patches :
     - Add 02_sd2_buffer_read_overflow.diff (CVE-2014-9496, closes: #774162).
     - Add 03_file_io_divide_by_zero.diff (CVE-2014-9756, closes: #804447).
     - Add 04_fix_aiff_heap_overflow.diff (CVE-2015-7805, closes: #804445).
   * debian/control: Standards version 3.9.6. No changes needed.
Checksums-Sha1:
 d934446abfa2c193b07dd8a0ebe923cd13643d2f 2105 libsndfile_1.0.25-10.dsc
 e95d9fca57f7ddace9f197071cbcfb92fa16748e 1060692 libsndfile_1.0.25.orig.tar.gz
 295b6d86cecd95217bea5c567a04578035f81acc 12352 libsndfile_1.0.25-10.debian.tar.xz
 955b9bdd61600c700bcbd70767ce14ca682b6fcd 360730 libsndfile1-dbg_1.0.25-10_amd64.deb
 c5b2a3026056de6f362cc0d6b9cfd5236384f7e5 723262 libsndfile1-dev_1.0.25-10_amd64.deb
 286ad76177d34316cb61c594394582692487dfbf 214452 libsndfile1_1.0.25-10_amd64.deb
 5520fa0b2d70fbdf8d53848d321507aff794e16c 139390 sndfile-programs-dbg_1.0.25-10_amd64.deb
 ef4a71eae9478ecc01627dd28a540ef00c5e3461 109642 sndfile-programs_1.0.25-10_amd64.deb
Checksums-Sha256:
 22528941859174d0cf517fbb6791f3408087d750aa873aa102e6ca263a45529b 2105 libsndfile_1.0.25-10.dsc
 59016dbd326abe7e2366ded5c344c853829bebfd1702ef26a07ef662d6aa4882 1060692 libsndfile_1.0.25.orig.tar.gz
 5ffa6a5449cde6e8c4076066eb0cdac99acd9186744fbd000bbe854cc505e7ab 12352 libsndfile_1.0.25-10.debian.tar.xz
 ca5808061ce025a074b447a5fb367dbea9a482db71a75d4acd1194abb5b6509a 360730 libsndfile1-dbg_1.0.25-10_amd64.deb
 a2be7fb91b5b05ec7bd26b4df998df0783ec0658a7e4891be2b74a585eaba7d1 723262 libsndfile1-dev_1.0.25-10_amd64.deb
 cc56434aeb5298d8c82cfe9fbbebe978f09580aa6b6e5161ad337064d5944fee 214452 libsndfile1_1.0.25-10_amd64.deb
 d053b4fef815c358731936dbbc5c820de6300f1eb8dce0b3db845363fd06ac31 139390 sndfile-programs-dbg_1.0.25-10_amd64.deb
 d514c5c5676dea2658b4c63929cd74992a90911414b74c527a5514183b682863 109642 sndfile-programs_1.0.25-10_amd64.deb
Files:
 5425b5d95112c6856f7fde9178f5b988 2105 devel optional libsndfile_1.0.25-10.dsc
 e2b7bb637e01022c7d20f95f9c3990a2 1060692 devel optional libsndfile_1.0.25.orig.tar.gz
 80e0b31bab2e18565c05f0068762c7b1 12352 devel optional libsndfile_1.0.25-10.debian.tar.xz
 881aa240f1da7ab49100905c6e77bc1c 360730 debug extra libsndfile1-dbg_1.0.25-10_amd64.deb
 730b4114324b69efc3ffd936a9bb47b7 723262 libdevel optional libsndfile1-dev_1.0.25-10_amd64.deb
 b5415929db68755065a2a0f1ea0828e8 214452 libs optional libsndfile1_1.0.25-10_amd64.deb
 b57ab2473a42a1ba1c5665aa701a9f63 139390 debug extra sndfile-programs-dbg_1.0.25-10_amd64.deb
 9a16c05897c07e2df779e8e75315d9f0 109642 utils optional sndfile-programs_1.0.25-10_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJWQpq4AAoJENfPZGlqN0++OYUP/j0CZVb6n2oX6Y8Qd9bGG+D9
rLb/X+dPGfHA6kaJo80uzQtO7UD+/pCPYNMkbGQWdgNFy/MSMGB+x89FU64w0Dtu
BSx9B9/Udpe1JHOhf4TyNWoxaLQMUYBwT9T3mZM3KAO7aS3S/W+GKEmVkTXwFeqi
/RiX//RZf7ABtSggdsjBTEpDGbfQmDcNeJU4McOVyKcGjltzQYY7iOZ/uRFm2Oqb
Qj0T9CLK02PxajiaU4eCJ7MC6i8Tt205oJZ6H/EnvOBFSDD32fhES24XjNnNOGG8
dvJM2CBSP6m9NaaTk1IfU0EL1J3WIWzuf22TlBQflpCq2cGqsZW+5SQ6VNcOLJ4A
kuYOOGr1d+KH/+1VECrf4JyyHPA+KAP+T2yqYZ3DXwwrP3uacGaKO+j6Vjv1WwPM
Rb8zhOh9BJmNkmm4bWXK1AOkFpqtdEYWDn2z2fnOGM5im8YbT/+gqI78QPDn0xFe
4JITxR4bks2EhJwiPMisrRlSAZtgA8ejeEGcvDHmw/6CtuC/RV562mui1hP6Vd/I
Uen4y6Ibqj0yeTY5UfNgiipISHTUIWZcNCZ6ue5A2Yne7jE+6z0cNbq5HB1EULJt
wm8e/kQLjth4/g4CHSjHfPCgvoAlJr5Cm1I6O6ySgm/vsiCz6LhS0GkabvStXl61
3+EjfOWE440Y0FnhIYYc
=JDnR
-----END PGP SIGNATURE-----

Message #15 received at 804447-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Alteholz <debian@alteholz.de>

To: 804447-close@bugs.debian.org

Subject: Bug#804447: fixed in libsndfile 1.0.21-3+squeeze2

Date: Mon, 30 Nov 2015 13:19:52 +0000

Source: libsndfile
Source-Version: 1.0.21-3+squeeze2

We believe that the bug you reported is fixed in the latest version of
libsndfile, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 804447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated libsndfile package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 30 Sep 2015 11:03:02 +0100
Source: libsndfile
Binary: libsndfile1-dev libsndfile1 sndfile-programs
Architecture: source i386
Version: 1.0.21-3+squeeze2
Distribution: squeeze-lts
Urgency: high
Maintainer: Erik de Castro Lopo <erikd@mega-nerd.com>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 libsndfile1 - Library for reading/writing audio files
 libsndfile1-dev - Development files for libsndfile; a library for reading/writing a
 sndfile-programs - Sample programs that use libsndfile
Closes: 774162 804445 804447
Changes: 
 libsndfile (1.0.21-3+squeeze2) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * debian/patches :
     - Add 102_sd2_buffer_read_overflow.diff (CVE-2014-9496, closes: #774162).
     - Add 103_file_io_divide_by_zero.diff (CVE-2014-9756, closes: #804447).
     - Add 104_fix_aiff_heap_overflow.diff (CVE-2015-7805, closes: #804445).
Checksums-Sha1: 
 4ee7de4aa13d8b743395a52f3b78e60e9056afeb 2056 libsndfile_1.0.21-3+squeeze2.dsc
 136845a8bb5679e033f8f53fb98ddeb5ee8f1d97 1014722 libsndfile_1.0.21.orig.tar.gz
 6ca902f8c6e3069e111f18078f60fed40fb392bf 12160 libsndfile_1.0.21-3+squeeze2.debian.tar.gz
 9440b09c7473fba04e8c9f16a8f73a3b7954c94a 366168 libsndfile1-dev_1.0.21-3+squeeze2_i386.deb
 f49f3da8ff65662ab5f8b9ee3fafa8a402b3d9f8 237374 libsndfile1_1.0.21-3+squeeze2_i386.deb
 c0716d0b52fa4388b32b5b0bdfcebcfc0e8b8658 107182 sndfile-programs_1.0.21-3+squeeze2_i386.deb
Checksums-Sha256: 
 adc5b0b11d5c4c8c2954bbc579a07f13a409486c005f15a710360173affa283f 2056 libsndfile_1.0.21-3+squeeze2.dsc
 7e9083a2551ff347276d82cdb61f2b4f9cd137c0b76433800e991583ded8ea67 1014722 libsndfile_1.0.21.orig.tar.gz
 d2dc253b243ee12e0e3701e3b0e0880e5793ea4691fc30825a1afea4b4a9fec3 12160 libsndfile_1.0.21-3+squeeze2.debian.tar.gz
 3cd3fcecdc9e7821ba98a897f5ee7fabc8e2d3e1e176533a1de3bc39d2271b27 366168 libsndfile1-dev_1.0.21-3+squeeze2_i386.deb
 f325c5aaaaa45d03eea89694a4660d02c26eeb2a603dd2701cb697881ec54a99 237374 libsndfile1_1.0.21-3+squeeze2_i386.deb
 c4543c03a3f281c7b2495ec43e69f4286950acda02456f5d6847b5f124ef0f42 107182 sndfile-programs_1.0.21-3+squeeze2_i386.deb
Files: 
 4b8528f7f287428c7ae5c79f5380f900 2056 devel optional libsndfile_1.0.21-3+squeeze2.dsc
 880a40ec636ab2185b97f8927299b292 1014722 devel optional libsndfile_1.0.21.orig.tar.gz
 0320ecab5d382b40a8bbe732530f2319 12160 devel optional libsndfile_1.0.21-3+squeeze2.debian.tar.gz
 92059eb05e48c84c09ca77f71523dc99 366168 libdevel optional libsndfile1-dev_1.0.21-3+squeeze2_i386.deb
 5136622747052c47cf0a1281d335d07c 237374 libs optional libsndfile1_1.0.21-3+squeeze2_i386.deb
 9782e906da5fd503a5ee05f8c57a6d15 107182 utils optional sndfile-programs_1.0.21-3+squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJWXEnjXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHVjoQAIxBB8wINi9qatc9muO5+p9k
Q4IqZQDZ/mkVuvUrfyQhmWvUwFr0N6sGg0TiYrULygANi56tR/NDIkamQ0hahqKw
ewn5Qvq9UheDV0kq5mJT+b0XcideptG6WdeQv/6wPZ/1Cwp95nydyQFnvldn38T6
nIPzERM3m8oaxxz/jkhWy282GRrCUOtXn19+/1il/dimxe64Plv4mRD5VFZ7nPF9
CX35AtEFz2mczxqMr0CRlUg0MK1cXHXzb4KRKiCLtomwKDdkaNw/+2qPb5NblU+b
LCY+huBpWIwVFihpRt8VxFpkQR4Ib15ckX71Ecq08LPi5sygCvzoqdo3/oSl/wVi
CX7PGg55mWgSH95rKkAYDZAteTo5IknR93fJ0XLT4709wMmSTj9xDpbNRmMq1iOY
1WJTQpWdYQJrYjdSZMZ+2ZS3nJ2buSCJi53IZDqRUeIsrqImlCIsCZMale2es8jI
dao/eLVsm2RIX9+3ZOW/h4MmopN6dYRR4JtJfpqgHtO//hE7js9KyCuNCQC0ZXEF
dVg5ZEGykp9cQOkIxsxHdo0a3sCRh41R+2souYiA1NXzZxkCudlUe2Be2JDV+P0b
Z8Pwe4bshEgBUVRbYeYyJXBVrzCqO859GbfpVOYNEclyC7KsYQls0OXNS6LOtzSB
TgVJJ0Dx9ZxYuh4wyuwW
=olp3
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.